plugins/review-migration/skills/review-migration/SKILL.md
Analyze Mattermost schema migrations against best practices and generate a review report. Pass a migration number/name as argument or omit to auto-detect new migrations.
npx skillsauth add mattermost/mattermost-ai-marketplace review-migration
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Analyze a Mattermost schema migration against best practices and produce a filled-out review report.
If $ARGUMENTS is provided, use it to locate the migration:
server/channels/db/migrations/postgres/$ARGUMENTS*.up.sql
server/channels/db/migrations/postgres/$ARGUMENTS*.down.sql
If $ARGUMENTS is empty, auto-detect new or modified migrations:
- `git diff --name-only HEAD` and `git diff --name-only --cached` to find staged/unstaged migration files.
- `git diff --name-only main...HEAD` to find migrations added on the current branch.

Read both the `.up.sql` and `.down.sql` files. If the down migration is missing, flag it.
Check every SQL statement against the rules from the official guide and reference.md. Pay particular attention to:
morph:nontransactional is present as the first line)

Output the following markdown template, filling in every section based on your analysis. Use the exact status values shown: ✅, ❌, or N/A.
If the table is empty or feature-flagged, add a context note at the top:
> **Context:** The table is gated by a feature flag and will be empty when this migration runs.
# Schema Migration Review: [version] — [description]
## Schema Changes
- [ ] New table(s): ...
- [ ] New column(s): ...
- [ ] New index(es): ...
- [ ] Modified column(s): ...
- [ ] Dropped object(s): ...
## Safety Analysis
| Check | Status | Notes |
|-------|--------|-------|
| No ALTER COLUMN TYPE | ✅/❌/N/A | ... |
| CREATE INDEX uses CONCURRENTLY | ✅/❌/N/A | ... |
| DROP INDEX uses CONCURRENTLY | ✅/❌/N/A | ... |
| No FOREIGN KEY via ALTER TABLE | ✅/❌/N/A | ... |
| No full-table DELETE/UPDATE | ✅/❌/N/A | ... |
| morph:nontransactional where needed | ✅/❌/N/A | ... |
| Down migration exists | ✅/❌ | ... |
| Transactional/nontransactional split correct | ✅/❌/N/A | ... |
## Backwards Compatibility
- Compatible with previous ESR: Yes/No
- Can previous Mattermost version run with new schema: Yes/No — [explain]
- Impact if not compatible: ...
## Table Locks & Impact
- Tables affected: ...
- Lock types acquired: ... (use lock types from the official guide)
- Impact to concurrent operations: ...
## Zero Downtime
- Possible: Yes/No
- Reason: ...
## Large-Dataset Testing Recommendation
- **Recommended: Yes/No**
- Reason: ...
- Tables to seed for testing: ...
## Test Results (fill manually if testing recommended)
| DB | Table Size | Row Count | Duration | Instance |
|----|-----------|-----------|----------|----------|
| PostgreSQL | | | | |
## SQL Queries
```sql
[contents of the .up.sql file]
```
Ask the user if they'd like to save the report to a file. Suggest the path:
server/channels/db/migrations/reviews/<migration-name>.md
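
The text-level checks from the Safety Analysis table can be approximated mechanically before the manual review. The following is an added example, not part of the skill or of Mattermost's tooling: the sample SQL is constructed, statement splitting on `;` is naive, and it assumes the marker is needed whenever a statement uses CONCURRENTLY (PostgreSQL rejects concurrent index operations inside a transaction block).

```python
import re

FLAGS = re.IGNORECASE | re.DOTALL
# (check name from the report table, statements it applies to, pattern that fails it)
RULES = [
    ("No ALTER COLUMN TYPE", r"^ALTER\s+TABLE\b",
     r"\bALTER\s+COLUMN\s+\S+\s+(SET\s+DATA\s+)?TYPE\b"),
    ("CREATE INDEX uses CONCURRENTLY", r"^CREATE\s+(UNIQUE\s+)?INDEX\b",
     r"^(?!.*\bCONCURRENTLY\b)"),
    ("DROP INDEX uses CONCURRENTLY", r"^DROP\s+INDEX\b", r"^(?!.*\bCONCURRENTLY\b)"),
    ("No FOREIGN KEY via ALTER TABLE", r"^ALTER\s+TABLE\b",
     r"\b(FOREIGN\s+KEY|REFERENCES)\b"),
    ("No full-table DELETE/UPDATE", r"^(DELETE|UPDATE)\b", r"^(?!.*\bWHERE\b)"),
]

# Constructed sample migrations (table and index names are made up).
RISKY_UP = """CREATE INDEX idx_demo_posts_channel ON demo_posts (channelid);
ALTER TABLE demo_posts ALTER COLUMN props TYPE jsonb;
DELETE FROM demo_posts;
"""
SAFE_UP = """-- morph:nontransactional
CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_demo_posts_channel ON demo_posts (channelid);
"""
SAFE_DOWN = """-- morph:nontransactional
DROP INDEX CONCURRENTLY IF EXISTS idx_demo_posts_channel;
"""

def review_migration(up_sql, down_sql=None):
    """Return {check name: status} using the report's ✅ / ❌ / N/A values."""
    body = re.sub(r"--[^\n]*", "", up_sql)  # drop line comments (naive)
    stmts = [s.strip() for s in body.split(";") if s.strip()]
    report = {}
    for name, applies, fails in RULES:
        hits = [s for s in stmts if re.search(applies, s, FLAGS)]
        bad = any(re.search(fails, s, FLAGS) for s in hits)
        report[name] = "N/A" if not hits else ("❌" if bad else "✅")
    # Assumption: the marker is needed whenever a statement uses CONCURRENTLY.
    needs_marker = any(re.search(r"\bCONCURRENTLY\b", s, FLAGS) for s in stmts)
    marked = "morph:nontransactional" in up_sql.split("\n", 1)[0]
    report["morph:nontransactional where needed"] = (
        "N/A" if not needs_marker else "✅" if marked else "❌")
    report["Down migration exists"] = "✅" if (down_sql or "").strip() else "❌"
    return report

if __name__ == "__main__":
    for label, up, down in (("risky", RISKY_UP, None), ("safe", SAFE_UP, SAFE_DOWN)):
        print(f"== {label} ==")
        for check, status in review_migration(up, down).items():
            print(f"| {check} | {status} |")
```

The lock, backwards-compatibility and transactional-split sections of the report still need a human reading of the statements; this pass only pre-fills the rows that can be decided from the SQL text.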